I have a Cisco ASA5510, and articles related to the ASA and multiple public IPs say this can't be done. My question is how to best solve a scenario like this:

I have 3 zones, Outside, Inside and DMZ

Outside is Internet

Inside is Client machines

DMZ is a zone for servers related to external and internal services.

My scenario is a bit more complex, but to keep things simple this will do:

I want to place an Exchange server and a web server (externally reachable in the DMZ zone)

The webserver uses both TCP80/443, the Exchange server uses 443

So to the problem:
With the ASA only having one public IP, how would you make a DNAT to port 443 on both the internal hosts behind 1 public IP? Usually, when I do this kind of scenario with Linux boxes I use alias interfaces like eth0:0, eth0:1 and set 1 public IP on each.

To me this must be a pretty common scenario; any ideas on how to solve it with the ASA?

Your webserver and Exchange require 443. You cannot map the same port to 2 different IP addresses. I personally use the static command to map as many public IP addresses as I have or need (on one of the firewalls I used around 25-30 IPs). Please look at the static command.
– Serhiy Sep 10 '12 at 13:52


I see your confusion. In the ASA you do not need to assign a public IP to an interface to be able to use it. For sure only 1 public IP is needed and used for the outside interface. For the rest of the public IP addresses use the "static" command.
– Serhiy Sep 10 '12 at 13:57

Most importantly, you haven't told us which ASA OS version you are running.
– jwbensley Sep 10 '12 at 14:02

3 Answers

First of all, if you truly only have one single public IP, this isn't going to work: trying to port forward the same port for two internal hosts.

If, though, you have a range of IPs, perhaps your ISP has given you a small /29 subnet, then you are in luck. If they are routing a /29 to your ASA then obviously, as usual, you can only configure one IP on the outside interface, but if it is receiving traffic for those additional IPs it can work with them.

(The below is an example from an ASA that gets assigned an IP over PPPoE and the ISP routes a /29 to that interface, but if for example your uplink is an Ethernet segment, ASAs can use proxy ARP.)

As you haven't given the version of ASA OS you are running I can't be more specific, so here is an example I have used, which is on 8.2. This is allowing RDP (port 3389) on a second public IP in the same subnet routed to the ASA, to a second internal host (I have included the default NAT rules etc. so you can see the bigger picture).

Not sure what you mean by no traditional routing, but other than that I agree with you.
– 3molo Sep 10 '12 at 11:03

Oh, it supports traditional routing, but that isn't often used for inter-interface traffic - unless you disable nat-control, which rather defeats the point of using a firewall...
– adaptr Sep 10 '12 at 11:15

I don't quite agree, but I guess this is not the right forum for that discussion.
– 3molo Sep 10 '12 at 16:32

This is nothing out of the ordinary. It's true that the ASA device can't hold more than one IP per subnet.

It is, however, standard practice to USE more addresses. You can set up NAT for IPs not held by the ASA. The only requirement is that those addresses are routed to you by your provider - they don't even need to be in the same subnet as your link network.
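As an added illustration of the "static" approach Serhiy and this answer describe (not config from any of the posters, and not the 8.2 RDP example mentioned above), here is what mapping the DMZ web server and Exchange server to two addresses out of a provider-routed /29 looks like on an ASA. All addresses and names are constructed: 203.0.113.0/29 is assumed to be the routed block (the outside interface itself holds a different link address), 10.0.1.10 is the web server and 10.0.1.11 the Exchange server in the DMZ.

```cisco
! ---- ASA 8.2 and earlier: static NAT, ACL matches the MAPPED (public) address ----
! Neither 203.0.113.10 nor .11 is configured on the Outside interface; because the
! ISP routes the /29 to the ASA, the firewall receives the packets and translates them.
! (Only if the /29 were on the Ethernet link itself would proxy ARP come into play.)
static (DMZ,Outside) 203.0.113.10 10.0.1.10 netmask 255.255.255.255
static (DMZ,Outside) 203.0.113.11 10.0.1.11 netmask 255.255.255.255
!
! Inbound ACL: expose only the ports each host actually serves. 443 can exist on
! both public addresses because each mapping is keyed on a distinct public IP.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq 443
access-group OUTSIDE_IN in interface Outside
!
! ---- ASA 8.3 and later: object NAT, ACL matches the REAL (DMZ) address ----
! The version matters (as jwbensley notes): 8.3 reversed which address the ACL sees.
object network DMZ_WEB
 host 10.0.1.10
 nat (DMZ,Outside) static 203.0.113.10
object network DMZ_EXCH
 host 10.0.1.11
 nat (DMZ,Outside) static 203.0.113.11
!
access-list OUTSIDE_IN_83 extended permit tcp any object DMZ_WEB eq 80
access-list OUTSIDE_IN_83 extended permit tcp any object DMZ_WEB eq 443
access-list OUTSIDE_IN_83 extended permit tcp any object DMZ_EXCH eq 443
access-group OUTSIDE_IN_83 in interface Outside
```

A one-to-one static mapping exposes every port the ACL permits, so keeping the access-list to just 80/443 is what limits what the DMZ hosts reveal; after applying, `show xlate` and `show access-list OUTSIDE_IN` confirm the translations and hit counts.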